机构地区:[1]State Key Laboratory of Cryptology,P.O.Box5159,Beijing 100878,China [2]Guangdong Provincial Key Laboratory of Data Security and Privacy Protection,Jinan University,Guangzhou 510632,China [3]Department of Computer Science and Engineering,Shanghai Jiao Tong University,Shanghai 200240,China [4]Trusted Computing and Information Assurance Laboratory,Institute of Software,Chinese Academy of Sciences,Beijing 100190,China
出 处:《Science China(Information Sciences)》2020年第8期143-164,共22页中国科学(信息科学)(英文版)
基 金:National Key Research and Development Program of China(Grant Nos.2017YFB0802005,2018YFB0804105);National Natural Science Foundation of China(Grant No.61602046);National Natural Science Foundation of China(Grant Nos.61872236;61572192);National Natural Science Foundation of China(Grant No.U1536205);Young Elite Scientists Sponsorship Program by CAST(Grant No.2016QNRC001);Opening Project of Guangdong Provincial Key Laboratory of Data Security and Privacy Protection(Grant No.2017B030301004);National Cryptography Development Fund(Grant No.MMJJ20170209);Anhui Initiative in Quantum Information Technologies(Grant No.AHY150100);National Key Research and Development Program of China(Grant No.2017YFB0802005);National Key Research and Development Program of China(Grant No.2017YFB0802005);National Natural Science Foundation of China(Grant No.U1536205).
摘 要:Based on the identity-based encryption(IBE)from lattices by Agrawal et al.(Eurocrypt’10),Micciancio and Peikert(Eurocrypt’12)presented a CCA1-secure public-key encryption(PKE),which has the best known efficiency in the standard model and can be used to obtain a CCA2-secure PKE from lattices by using the generic BCHK transform(SIAM J Comput,2006)with a cost of introducing extra overheads to both computation and storage for the use of other primitives such as signatures and commitments.In this paper,we propose a more efficient standard model CCA2-secure PKE from lattices by carefully combining a different message encoding(which encodes the message into the most significant bits of the LWE’s"secret term")with several nice algebraic properties of the tag-based lattice trapdoor and the LWE problem(such as unique witness and additive homomorphism).Compared to the best known lattice-based CCA1-secure PKE in the standard model due to Micciancio and Peikert(Eurocrypt’12),we not only directly achieve the CCA2-security without using any generic transform(and thus do not use signatures or commitments),but also reduce the noise parameter roughly by a factor of 3.This improvement makes our CCA2-secure PKE more efficient in terms of both computation and storage.In particular,when encrypting a 256-bit(respectively,512-bit)message at 128-bit(respectively,256-bit)security,the ciphertext size of our CCA2-secure PKE is even 33%–44%(respectively,36%–46%)smaller than that of their CCA1-secure PKE.
关 键 词:LATTICE public-key encryption chosen ciphertext security standard model
分 类 号:TN918.4[电子电信—通信与信息系统]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
